88: Infosec Sherpa with Tracy Z. Maleeff

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Tracy: My path into information security began with me crying on a train. I had worked at law firm Libraries for a while, for almost 15 years, I think maybe ten years. And I just felt that I didn’t have anywhere else to go, that I had gone as far as I could, and I felt just really kind of lost and wasn’t really sure what was going on with my career. And this made me sad. So when I commuted in and out of the city on the train, I would cry. And as I’ve told this story before, it wasn’t like quiet, demure crying, of course. It was just like ugly crying with sunglasses on, because it was very stressful. You work so hard to get to somewhere in your career, and then you look around and you’re like, this is it.

Tracy: This is what I worked off for, and it’s not as fulfilling as I thought it was going to be. So I started doing some reading on the train, and I read this article in Entrepreneur magazine, how to Future Proof Your Career in 2015. And that was something that I was very keen about, was the future proofing aspect, because at the time, there was a lot of layoffs in the law firm and library worlds, and I just didn’t want to wind up being one of several law firm librarians looking for a job in Philadelphia, because there’s only so many to go around.

Tracy: So I was trying to think of something that would be more long term. So this article gave some tips, and one of the tips they gave is really where I got introspective, and it said, look back at all the past jobs that you’ve had if you don’t have that much work experience. Look at classes and volunteer situations, things like that, and find if there’s a common thread of something that interested you, excited you, et cetera.

Tracy: And I did. I thought about it, and I realized it was tech. Tech was the thing that was my common thread. So, for example, I once had an office job on the campus of Penn State. And just playing around with the computer, I managed to find this back channel email network that nobody seemed to know existed and things like that. I always like to kind of poke around and find things, so remembering this, and so I thought, okay, I am going to declare 2015 the year of my career. 

Tracy: This is that I decided. New Year’s Eve, 2014. I was watching Guardians of the Gal of the Galaxy with my husband, and I was having an orange soda with whipped cream flavored vodka, which I highly recommend. 

Rohan: Oh, my God. That’s lethal. 

Tracy: Yeah, it tastes like an orange creamsicle. Yeah. 

Rohan: What was this thing called? 

Tracy: Oh, I don’t know what it’s called. I knew that the flavors would be good together. 

Rohan: Nice. 

Tracy: And yeah, I enjoyed my beverage and just kind of thought about it and yeah, that’s when I had that declaration, you know what? I’m going to make 2015 the year of my career. I’m going to explore some options and try to figure out a better way forward. So then I spent January 1 watching football games and parades, and in Philly we have the Mummers, and I sat in front of the TV, and I redid my resume and I redid my LinkedIn profile and things like that. 

Tracy: And then I applied for a couple library jobs. And I did this on purpose because I wanted to make sure that I was finished with Library World. So as expected, I almost immediately received feedback from those three jobs that I applied for. I got interviews right away. No, that part wasn’t surprising. So I went on each of those interviews, and that’s what helped cement that I was over it, because I had the realization of, okay, this is just the same at a different law firm. And that’s what I needed to know, because I didn’t want to move forward. And this is what I recommend for anyone. 

Tracy: Because you don’t want to backtrack, you don’t want to have a regret of, like, well, was I not really done with my other career yet, so that was just an exercise of me making sure that I was over it. And I definitely was over it. And like I said, that’s what I realized. Okay, so changing firms won’t matter. This is all just the same everywhere. So that’s when I decided to that just took up all of January of 2015. 

Tracy: So starting February, I went to tech meetups. I went to workshops, and it was a little bumpy because to be honest, I was going to a lot of tech meetups. Tech meetups are not security meetups. It’s a different type of people, different values, different things that they care about. And honestly, I didn’t really like those people that I I just didn’t really find that I clicked with. Know, in some cases, if you go to a tech meetup, everybody wants to either know, do you have a lot of money to invest? 

Tracy: Or do you have the next Facebook idea so people would talk to you just long enough to figure out if you fit into one of those either two categories. And that was really frustrating. And just I’m just trying to network and meet people and learn about tech and everybody’s it’s like day and night. 

Rohan: Everybody’s selling something. 

Tracy: Yeah, it’s like day and night. With the security and the tech industry. Everyone in security that I’ve met, for the most part, it’s always been like, let me give you some advice, or, Let me talk to you about this security principle. Everything in tech was just like, who do you know? How much are you investing? What ideas do you have? And things like that. I didn’t really enjoy that. So what happened was that a friend of my husband’s of mine was watching me spin my wheels. He graciously would go with me to a lot of these tech meetups, and I would leave. And I’ll be like, wow, they are just a bunch of jerks, aren’t they? 

Tracy: So finally, after a couple of months of this, he was just like, all right, I want to talk to you about the world of cybersecurity. Or as he referred to it, his first back end. He’s like, I’m going to talk to you about back end security. He said, I think you would be good at it. I think this would interest you. And I think you’ll find that it’s a much better fit than all this tech stuff that you’ve been spinning your wheels doing. Like, for example, I went to a Ruby on Rails workshop. 

Tracy: I walked out after 15 to 20 minutes because I thought to myself, I do not want this nonsense in my life, like, ever. So, I mean, I think I spent $25 on the workshop, and I paid for parking. But as I tell people, to me, that was money well spent, because I knew that I never wanted to learn that language. And also just that coding in general really wasn’t my jam. So sometimes you do kind of need to take the L for these things, but don’t look at it as a failure. It’s a learning lesson. 

Tracy: So I felt very comfortable being like, okay, great. I’ve just paid $30 to know that I never want to sit in a Ruby on Rails class ever again. So those were the kinds of things that I would do. I would go to different things and just be like, okay. And I obviously never did anything too expensive. But still, it was just like, okay, let’s try this out. So then I’m hearing about this back end stuff. And then one day, I guess it was August of 2015, the same friend was out in Las Vegas at Black Hat. 

Tracy: And I get a text on my phone of a photo of the booth at Black Hat for the Women’s Society of Cyberjitsu. And he sent me a bunch of photos from their booth and gave me their links and all that stuff. And he said, I just told them all about you. They’re expecting to hear from you. He said, you get involved with this group. This is going to help you. And like, two to three weeks later, I was taking their Cybersecurity Basics or Fundamentals of Cybersecurity workshop. 

Tracy: It was a two part workshop at the University of Maryland and I’m in the Philly area. So I drove down like 3 hours to go. Do know? Yeah. My joke is they had me at port scanning. I was like, Where has this stuff been all of my life? Like, yeah. This is amazing. And I know that there’s been a lot written and said about same sex education or women only education. And I have to say that did very much help me. For example, because it was just a room full of women. 

Tracy: The instructors were women. And it’s not that I don’t resent male teachers or anything, but I’ve also been in enough classes to know that usually there’s always one guy who knows everything. And case in point, I went to an Introduction to Python class, and it was geared towards women, but it was open to anyone. But there was one guy in the class who did nothing but Heckle, the woman instructor. But nobody would say anything, and I don’t care. I’ll say whatever. 

Tracy: Finally, he kept interrupting and correcting her and things like that. And I started to get the sense of he shouldn’t be in an introduction class, like, if he knows so much. So one of the times he started to get into it with her, he got frustrated and declared how many years of Python experience he had. So that’s when I yelled out, then why are you here? This is an introduction to Python class. And I told him, I’m like, Please leave or be quiet because you’re interrupting. So having had that experience before of no offense, gentlemen, but it only takes one jerk man in a classroom of women to really kind of ruin the experience for everyone, because he was very polarized, I just wanted to tell that story to contrast with being in a room full of women. 

Tracy: The teachers were women. It was just a different atmosphere. There was nobody there, like calling out Heckling or anything. We were just there to learn. So I did that, and cybersecurity became my quirky hobby. I set up all kinds of Google alerts. I tell people do this all the time. I wanted to see what sort of news I was clicking on. So I had tech alerts, cybersecurity alerts, and I found myself always clicking on anything cybersecurity related, like, oh, there was a breach. Let me click on that. 

Tracy: So it became my quirky hobby, and I just started to absorb everything. So to the point. September 2015, I reached out to the CIO of the law firm where I was working, and I said, hey, cybersecurity has become my quirky hobby. What is the law firm doing for Cybersecurity Awareness Month next month, and how can I get involved? To which he responded what’s? Cybersecurity Awareness Month? So, kind of anticipating this, I actually had a whole proposal ready to go. I had this five point plan at that time. There were five Fridays in October that year. 

Tracy: And I said, every Friday, let’s send out an infographic about just basics cybersecurity. So I had a theme for each week. I don’t remember all the themes, but one was the perils of free WiFi and phishing emails. Don’t be a great catch. Like your basic run of the mill what I understand now to be like your entry level cybersecurity awareness. But again, for me at that time, I was still kind of clueless, working without a net, but to me that they were good. 

Chris: And for the end users, you want to keep it high level. 

Tracy: Yeah, exactly. So I just kept it to things like that. I do have to say though, so he loved everything. I sent him my whole plan. I sent him the little portfolio I created. The only thing that I couldn’t get pushed through was explaining what a VPN was. And his reasoning was, well, we don’t want people using VPNs. I’m like, yeah, I kind of think you do if they’re not on our network. And he was putting up a fight with me on that. He’s like, we don’t want to tell people that VPNs exist. And I’m like, you don’t think that anybody knows about VPNs? Okay? So basically inside my head I’m thinking, just let this battle go. You won the war and you’re able to run this program. 

Tracy: Because I wanted to dig in. And I’m like, so that was the only thing I had to take out was VPNs. I’m like, fine. So he assigned a help desk person and a marketing person to me. And remember, keep in mind I’m still just the librarian in the law firm. And he said, I have someone from the help desk, someone from marketing. You’re going to run point on this, but make sure that they see everything. The Help desk person was just to double check my tech. 

Tracy: And the marketing person was more familiar with how things are presented with the style within the firm and stuff. So that went out. And November 1, I followed up with the CIO and said, so how do you think it went and what else can I do? And he said, yeah, it went great. And he goes, Listen, you can do that again next year. And I thought, oh no, I’ve always jokingly said, I’ve tasted the blood of security and I want more. So talked to my husband about basically, you know, we just kind of came up with a plan for our household finances because my plan was to up and quit my job. 

Tracy: I was going to start an LLC, which I still have running today called Sherpa Intelligence. So I got this LLC off the ground, and the plan was just to do whatever freelance research and social media work I could do, just to bring in any income while I studied and networked and just immersed myself in Infosec world in order to get a job in it. January 2016 came around. I resigned from the firm, and a couple of weeks later, back when RSA was held in February, I was on a plane to San Francisco because I had a client hire me to go out to RSA to help them with some things on site and do some on site social media work for them. 

Tracy: And while I was there, I also got another client who wanted me to do some research for them. And I got another client, all from the showroom floor, who hired me to help their people with social media training. So I did a lot of cybersecurity adjacent work. I went to every workshop, every conference that I could. I was able to talk more companies into hiring me to go to conferences and do their social media on site. 

Tracy: So I went to something ridiculous, like twelve or 15 conferences in like a year and a half, and having various varying degrees of them paid for or be covered. But I just was a sponge, absorbing everything, meeting people. I’m well aware of the value of networking, so I knew that that was important. So I did that for a year and a half. And what I always tell people when they’re trying to get into, I guess, any industry, but specifically Infosec, you need to put some time markers in place because otherwise you could just be job hunting forever. 

Tracy: And I said, some of those time markers can be in sand and some can be in stone, and just know which ones can be changed or should be changed, and which ones have to stay in stone or cement. And for me, it was December 31, 2017. If I didn’t have any realistic offers or leads, my husband and I were going to consider relocating where there were more jobs. Because keep in mind, this was pre pandemic. Trying to find remote work as an entry level person was near impossible. 

Tracy: And Philadelphia, especially a couple years ago, didn’t have as many cybersecurity jobs, so it was starting to look kind of bleak and yeah, so I just kept at it. Kept at it. Finally, one day in April, I received of 2017, I received four rejection emails in one day. And I was just so annoyed. And I was complaining to someone I knew already in the industry. I said, what do I have to do just to at least get in front of people to get them to understand my skill set? Because I always knew deep inside I knew that my library science skill set would be useful in information security. 

Tracy: I just knew that, and that was my driving force. So he said, Listen. He said, do you mind if I post about you on my social media? He’s like, I can’t believe you haven’t even gotten any interviews yet. So at that point, I was like, sure, just go ahead, do it. So I remember he tweeted at me, and it was almost like this admonishing tweet of like, I can’t believe none of you people have hired this woman. 

Tracy: And then, like, 20 minutes later, I had a direct message from someone who would become my first manager and said, oh, I’ve been following you for a little bit, and I didn’t realize you were looking for a job. Which is another point I like to say here. For people job hunting, as obvious as you think you’re being looking for a job, you need to be even more obvious. Because I thought I was being very obvious that I was looking for a job.

Tracy: So you have to be even more obvious that you’re looking. And he said, yeah. He’s like, I’m impressed with your skill set. I’d like to bring you in. We have an entry level slack analyst position. So, yeah, two weeks later, I was interviewing, and I got the job and that I was a SoC analyst for a global pharmaceutical company. And just one quick funny thing about my interview. It happened the same day as Wanna Cry that minute. My interview was in the afternoon. 

Tracy: But I remember that know, again, because of the time difference with the UK and where I am in the like, we kind of heard some of had I don’t know if you remember back to that were we didn’t even have the name. Um, but just bits and pieces of just kind of hearing the NHS was compromised and whatnot. So I remember thinking to myself, if I were interviewing me, I would ask me some things about this issue that’s growing like it was still in progress. 

Tracy: So I gathered what little information that I could, and I remember practicing as I was driving to the interview three ways to remediate this issue that we barely had any information about yet. And I am not joking. At the end of my interview, which went like an hour and a half, it went really long, the head person in the room looks at me and says, oh, do you know that there’s something going on today? And I shared what I knew. 

Tracy: He said, okay, great. I’m not joking. He looked at me and said, name three ways you would remediate this problem. And I’m cracking up going, Practice this in the car on the way. So the first thing that I don’t even remember if I got to say my second two, because the first one they never even thought of. I said my first one, which I’ll share what it was in a second. It’s not like a big secret or anything, but as soon as I said the first one, they all turn to each other and they go, we never even thought of that. 

Tracy: And what I said was I said, okay, well, my first act of remediation would be sending out an urgent alert to the company because of it being a pharmaceutical company. I said, they’re likely to have contacts at the NHS. And I said, So if they get an email. And I said, we should just assume that the NHS email at this point is probably compromised if their whole network is compromised, so that any phone calls, texts or emails they receive could be phishing. I’m like, I think we need to make that assumption at this point. 

Tracy: And I said, So you need to maybe put some filters in place, get knowledge out there and just make people aware. And they were like, they were concentrated on the network side, which I understand, but this is what I bring to this industry, is a different way of looking at things. And that’s when they were like, oh, we never even thought of that. And I said, well, yeah, that’s the first thing that I would have done, was just to give everyone a heads up of, like, hey, that person you think you know at the NHS may not actually be contacting you. 

Chris: So then they’re like, okay, you’re hired. 

Tracy: Yes, I got hired, and the rest is kind of history. So that’s the unabridged loan version. And I know to some people, they think, oh, it took a year and a half for you to transition. Well, yeah, because you have to build your skills. I don’t have a tech background, so the amount of time may vary for people, but you should be prepared that it might be a little difficult at first, especially if you’re someone like me coming in without a tech background. Now, admittedly, things are better now, but remember back in 2017, 2016, I don’t want to say the name of the company, but I actually had a very famous consulting company, someone look at my resume and said, you need to take this L Word off of your resume. And I’m like, l word library. 

Tracy: She’s like, you need to take library off of your resume. No one’s going to hire you if you have the Word library on here. And my response was, well, then I’d just be lying, because how can I remove it from I’m like, it’s literally the name of one of my master’s degree. And she kept telling me, oh, nobody’s going to hire a librarian for this. And I’m just glad I didn’t listen to her. I was just more annoyed. I was like, all right. 

Rohan: It’s a good statement of the industry, though. 

Tracy: Yeah. 

Rohan: People generally only buy commodity roles. They don’t seek to connect the role to the person. And actually, the person is the competitive advantage. The role is just a shell. 

Tracy: Yeah. So I didn’t listen to her. But, yeah, I do like to share these stories because of other people coming into the industry. I also want people to emphasize upon people, you do need to do your work. After I decided I wanted to make this career move, I commuted on the train, listening to Cybersecurity podcasts on my train ride. The one I liked in particular was Defensive Security with Jerry Bell and Andrew Lurg, because they would cover the news items that week, the cybersecurity news items, and then talk about them, break them down. 

Tracy: I would DM them on Twitter questions after I’d listened to their session, and they would answer know, answer my questions and things like that. I used to go to conference sessions, conference talks, technical talks, and I would take copious notes even if I didn’t know what they were saying. If I heard a word that I didn’t know and didn’t know how to spell it, I would spell it phonetically. And then as soon as the talk was done, I would find someone, whether it be the speaker, if they were available, or just someone around me, I’d say, hey, the speaker said this word during their talk. 

Tracy: I don’t know what this is. Did I spell it right? And a lot of times they would just take my notebook, spell it the right way and explain what it was. I don’t think I would have that experience if I had stayed on the tech track. I think the security world is much more amenable to helping people, is what I experienced. So, yeah, I don’t be afraid to just go into a session. So here’s a true story I’ll tell you about from Schmoocon. 

Tracy: So I honestly do not remember who this was, but I remember standing in the hallway at Schmoocon and this guy came up to me and he was, hey. I think he knew who I was from Twitter. And he’s like, you kind of look confused. And I said, Well, I don’t know which one of these three sessions to go into. And he’s like, well, listen. He’s like, I don’t care which session I go into. I have nothing else to do right now. I’ll tell you what. 

Tracy: You pick the session, I’ll sit next to you and I’ll explain what’s going on. And I was like, oh my God, that’s amazing. So I kind of call this like my goldilocks moment. So we walked to the first room. There was three big rooms in this hallway. So we went to the first room and I looked at the sign outside of it and he said, what about this one? And I said, I don’t even understand the name of the session. 

Tracy: I don’t even know what some of these words mean. So he’s like, okay, let’s go to the second one. So we went to the second one and I said, Well, I recognize some of the words in that title, but I’m not entirely sure what it means. He’s like, okay, that’s fine. Let’s go to the third one. And the third session had Linux in the title. And I went, Linux. I know what that is. He’s like, all right, we’ll go in here and yeah. So we sat in the back, we tried to stay away from. People so we wouldn’t bother anyone. 

Tracy: And I also find it very useful if you take notes by hand. There’s also studies that say that you absorb more if you write it out. So, yes, I had my big, thick notebook with my pencil and yeah, so he sat next to me so I would write things down or he would grab my paper and did stuff like that. And yeah, it’s those kinds of experiences that I just really enjoyed the infosec community. And I know that might be a scary thought to people of like, oh, I can’t sit in a session that I don’t know anything that’s going on, or just interact with a stranger like that. 

Tracy: But you have to do these things. You have to make yourself feel uncomfortable in order to learn. And yeah, to this day I can’t tell you what that session was about, but it was something to do with Linux. But that’s how you learn things, you just have to kind of just jump in the deep end and surround yourself with it. 

Rohan: The characteristic of your tale is actually commitment to change and also then with that commitment to change, you had these two positive intercessions by people helping you through. And I think the connection is, generally speaking, if you make the effort to try and go through, then the chances of you getting some help is much higher. I e don’t just wait for the help, start that journey. 

Tracy: Oh, absolutely. And I’m very much against gatekeeping, obviously. I don’t know if anybody there are some people pro gatekeeping, but you do have to put some work in. I really have low tolerance for people who haven’t done any of their own research or homework and just come to me with questions. Like I had someone get on a call with me once and just said, how do you do security? I’m like, yeah, no, this calls, no, you need to go back and do some research. 

Tracy: So yeah, you’re right. And again, this comes from my librarian background. I am not going to approach someone unless I already have exhausted every outlet that I know to follow. And again, I’m not trying to be mean, but my time is valuable and how are you really going to learn if I’m just telling you? So I had a little bit of that happen before and that’s what I keep emphasizing. You need to put the work in. 

Tracy: There are some charlatans in our community who are selling boot camps and talking like, oh, get rich quick joining cybersecurity, things like that. You still have to know stuff and you have to still put the time in. And yeah, I knew that the learning curve for myself was going to be great because I didn’t have a technical background so I put the work in. But I was also realistic that I wasn’t going to be a network engineer. 

Tracy: I just knew that my aptitude and all and I’m like, okay, so I want to be technical enough that I can at least have a conversation with the more technical folks so that I can help translate that to the less technical people. And I decided that that was my goal and I was content with that, and there’s a value in that. And I think that’s what people need to understand is you also have to kind of understand your limitations of learning the tech. 

Tracy: Because I see some people just be brand new to the industry and say, well, I want to go be a pen tester. I’m like, okay, slow down, that’s great. And yes, we need pen testers, but do you even know anything about defense? Do you know anything about these tools? It’s fine to want to move fast and break stuff, but you also know how to put it together again, too. And I see too many people rushing to be Red Team without really even understanding what they’re doing. 

Tracy: So I kind of advise against that. 

Rohan: Wow, that’s actually an organizational necessity is a good Red Team. So therefore, if you have a bunch of people who are not quite capable red teaming your organization, you have a serious problem. 

Tracy: Yeah, I’ve come across some younger folks that don’t have technical chops, but all they want to do is Red Team. And again, not trying to discourage them, but making them aware of like, okay, well, this is what the Hill is going to look like for you. You can’t just walk into it. And I don’t think a lot of them understand that. I think a lot of people think they can just walk into entry level Red Team, and I think a very special work environment has to exist for that. I don’t want to say that it’s impossible. 

Tracy: I think it needs to be an organization that’s big enough to have a mentor to train you. Things. Like I said, I’m not trying to say that it doesn’t exist at all because then I’m sure I’ll get comments after this post of, well, I did this. Yes, I’m sure they exist, but I think they exist in special situations. When it’s a giant team that has time to train and do things like that, I don’t see a small company having the time or patience to do that. So that’s why I want people to be aware of what they’re setting their sights on and how feasible is that for you? 

Tracy: So, yeah, that’s kind of my story. People ask me, well, how did you know that library science skills would be useful? And it was just intuitive. I don’t know. I can’t tell you. I just didn’t know. 

Chris: Well, I love that story, and I think it’s the optimal segue into the topic of diversity. You have folks with different backgrounds, different perspectives, yet are able to enter the industry and be able to contribute, and you’re a strong advocate for creating a culture of diversity. So if you don’t mind, talk to me a little bit about that. What drives your passion for this cause and what steps do you believe are necessary to achieve a truly inclusive environment? 

Tracy: Sure, I can’t think about a time when I wasn’t interested in diversity, but let me just put it this way. I strongly believe in the principle that diversity of thought solves problems. I think a lot of times some people may recoil when they hear the term dei or diversity. Diversity means a lot of different things. It can also mean having someone only with a high school diploma versus people who went to college.

Tracy: It can mean went to an Ivy League school versus a state school. Yes, obviously it can mean race and religion and all that other stuff, but it can also mean a lot more. So that’s why I want people to really open up their eyes of what dei can be, because you want these different types of folks. A good example of this is threat intelligence. That’s something that I’ve been trying to get further pivot into, and I’ve heard from a lot of folks say, and I’ve been told directly, like, trying to get a job in it, oh, well, you don’t have military or government experience and we’re not really interested. 

Tracy: I’m like, I did high level research for law firms to get information for lawsuits. Like, they trusted me with that. I think I can do your other stuff. But at the same time, I’ve also heard threat intel managers say to me, I’d hire you in a heartbeat because everybody on my team was trained exactly the same way and everybody does things exactly the same way. That’s the kind of diversity where I’m talking about is you have a whole team of threat intel people who do all the same steps and think of everything the same way, and that’s going to leave a lot of stones uncovered. 

Tracy: And so that’s where I feel like I come in. And this actually happened the other day. I was on an interview. I don’t want to get too into detail in case they ask this all the time in their interviews, but they asked me a question and they told me afterwards that, yeah, at first I rattled off some of the answers they were expecting, and then as I was thinking about it, I was like, oh, wait. How about this? And again, I had that moment of we never even thought of that. 

Tracy: And they told me on the interview, right, that they said, of all the people we’ve interviewed, no one has ever given us and it was a good answer. They said, and this answer, and they’re like, that’s probably the best answer of them all, and you’re the only one who’s ever come up with that. And I gave my reasons why I said it, and they’re like, yeah, that makes perfect sense. And I could just see everybody looking at each other on the camera going, we never even thought of that. 

Tracy: So that’s what I mean by diversity of thought. And yeah, that’s what I bring into it. So that’s what I want people to not don’t clench, roll your eyes. When you hear about diversity and inclusion, it’s going to help you get stuff done if you have people looking at things differently. I saw that in the sock all the time. I had very technical people around me who could not comprehend why someone would click on a phishing email or they would put these controls in place that I had to explain to them, their job isn’t security. 

Tracy: Our job is security. You’re kind of deputizing them to do things that aren’t in their wheelhouse, and then you sit there and you call them dumb and stupid and get mad at all the end users. No, I felt like I was kind of the voice of reason at times with my different perspective. And a lot of that came from Library World. 

Rohan: It’s a common problem with assurance business units. In large organizations, they, when confronted with the need to move from direct to indirect measures, they come up short and they end up blaming the customer. And then what will happen is that business unit over time builds up a culture, and then the internal culture actually avoids that unit, and then that unit feels they’re being avoided, and then, okay, then they will double down and they end up Stalinist really quickly. 

Tracy: Yeah, that’s a great point that you mentioned that the talk that I created that was born out of my time in the SoC was empathy as a service to create a culture of security. I’ve never given the same talk twice, but I’ve given different versions of it. And one of the things that I’ve done is I’ve taken this principle of library science called the Reference Interview. It’s the seven step process which was designed to help librarians understand what a library patron wanted. Because how many times people walk into a library and just like, I want a book about cats, like, okay, could you narrow that down a little bit? So there’s this framework that exists of how to elicit what the patron really wants. 

Tracy: Okay, so I took the Reference Interview and correlated it to Information security. And that’s a big part of the talk that I give, and approachability is the number one thing. So when I give this talk, I say to the crowd, how many of your users are afraid of you? Afraid to approach the security team? And a lot of them raise their hands and I tell examples of true life examples from my experience of times when, because of my approachability, which is also called Librarian Face, which I still have, people feel comfortable coming to me directly, and they would say as much. They would say, I really don’t feel comfortable going to the main inbox of the team and who am I going to get? 

Tracy: I want to come to you directly and I’ll tell you, some sisos did not like that. I got in trouble and I was just exasperated. I’m like, I stopped a major issue from happening only because that person was comfortable to come to me and they didn’t see it that way. And that’s kind of frustrating. But I still talk about the importance of approachability. The best example I give is if you’re approachable, a user said, what would you rather do? 

Tracy: Be approachable? And a user caused you to eat lunch at your desk while you fixed a problem and you nipped it in the bud or you’re too scary and nobody wants to contact you and 1 minute till five on a Friday of a long weekend. All of a sudden the logs and everything light up because somebody was too scared to tell you about something and now it’s out of control and now you’re working late on a holiday weekend and people kind of like you hear grumbles of like, yeah, I’d rather work through lunch. 

Tracy: Yeah, being approachable will help save your weekend. If that’s the bluntest term you want me to use to get you to understand, then fine. Then that’s what I try to share these stories to get people to understand of. Like, if you’re approachable, you can squash these things pretty quickly, but if you’re not approachable, they’re going to linger. And then you’ll find out when you get paged at 03:00 A.m.. So I like to share stories like that of my time in the SoC, even though it was very briefly, but I basically have like four years of SoC experience between the New York Times and the pharmaceutical company. 

Tracy: And I share these stories because I want people to understand that these seven steps also like, listening for what people don’t say. People may not know the details that we need to know about an incident. So if they’re telling you what happened, I say to people, you’re the security professional. You should know in your head how to remediate this issue. So you should have a checklist going in your head of what did they hit? 

Tracy: Even if you have to write this down, you can do it that way. But I do it in my head and I listen to them and I’m checking off things, and then I realize something wasn’t ticked, and I go back, and then I ask the direct question. And then when you circle in on that, then you get the answer you want. The example of that is someone called me in the sock and said I clicked on what was a phishing email. 

Tracy: I went to the site, it didn’t do anything. I closed the browser, and I’m calling you. Now, a lot of people would think that was an open and shut case, right? For me, I’m like, let’s back up a little bit here. And I also try to be very careful with what action words I use because you don’t want it to sound like blame. So I didn’t say like, well, what did you do? So I’ll say, okay, after the link was clicked, what transpired on that web page that opened up? 

Tracy: And the person said, oh, well, it asked me for a username and login and I did that and I clicked enter and then the site didn’t do anything and then I closed the browser. Well, notice the first time they didn’t say that, right? They just said that. Okay, well now we have a new ballgame here that they just gave away their credentials. Right. So because I was going through the checklist in my head, I realized that there was some information missing drilled into it, got the answer I needed, and I asked them to go. I said, Can I put you on hold for a moment? I’m like, I need to block your login right now. 

Chris: Yeah, please hold. 

Tracy: Yeah, so just knowing how you resolve an issue is important to listening to what’s being told to you and then circling back and again, you don’t have to be mean about it. I didn’t say, what did you do after that? Okay, walk me through it and yeah, I realized, okay, so you just gave away your credentials. Okay, I need to hold for a second, let me go. And I quickly did that and then got them back on the phone and explained what happened. Like, okay, you’re going to get reset and all this, right, but people have to understand it. So this woman was saying, well, but I don’t understand because the website didn’t do anything. 

Tracy: So without getting too technical, just kind of explained to her like, well, it doesn’t need to show you anything, but on the back end it did capture your login. Again, you don’t know what people know and yeah, they might withhold details. Sure, they might withhold details because they know that they did wrong. Okay, fine, that’s one option. Or they don’t know that that’s an important detail because again, security is our job, not theirs. They just might honestly not even think that that’s a significant detail to share and there could be a variety of reasons and those usually are the main two. Either they knew they did wrong and they’re embarrassed or they’re scared they’re going to get fired or something. 

Tracy: The other option is they just didn’t know. They weren’t trying to hide anything, they just did. 

Chris: Yeah. And those are both fixable. 

Tracy: Yeah, exactly. 

Chris: You promote an open line of communication with zero shaming and then you enforce training to your end users. 

Tracy: Exactly. Yeah, I’m tired of this stupid user. This and whatnot? That’s not how you create a culture of security. And I also am a strong believer in teachable moments, which is, again, something else from library science, what a teachable moment is. And I did this a lot. If I had someone click on a phishing email, I would ask them if they had just another minute for me to go over it with them. And I’d share my screen and I’d use my mouth and I’d point out, here are some red flags here that you may have missed. 

Tracy: And I do it in such a way I’m not chastising them. I’ll say, even if I think that it wasn’t easy to spot fish, you don’t say that just like, oh look, you know, like here’s, you know, like, let me show you some red flags here. Not everybody was willing or able to stay on the phone with me, so I had a pre made slide that I would just send to them via email of just examples of what to look for and at least just giving them that information so they can be aware of stuff. 

Tracy: I pride myself on giving the a lot of end users seems to be a divisive term anymore. So I’ve also started using the term consumers of security because whether it’s the general public or within your organization, they’re consuming your security product. So that’s why I’ve been calling them consumers of security. So the consumers of your security, some of them, you can kind of make your deputies and enlist them to help you because a lot of times they’re on the front line seeing these phishing emails and phishing phone calls and things like that. So again, if you build up a rapport with someone, it can go both ways. They can shoot you over things real quick over email and go, this invoice doesn’t look right. 

Tracy: And speaking of that, any of the finance teams, if you work in a company, you all need to get together and have lunch. Because I never want a financial person accounts payable. Specifically, I never want an accounts payable person to be unsure about the validity of an invoice and just push ahead anyway because they’re too scared to contact security. Never want that to happen. Once at a place that I worked, an eagle eyed accounts payable person spotted that the swift number was different than what they normally used for this client. 

Tracy: And it turns out that it was bogus. It was a high level fish. The criminals did a really good job spoofing what a normal thing looked like. But she said that something like the account number or the Swift number, something like that, one of the numbers was different. And she came to me and said, what do I do? So we attacked it that way and gave her lots of praise and kudos and made sure her boss knew of like and of course it was for a large amount. I’m like, this could have been disastrous. 

Chris: Oh, 100%. 

Tracy: I strongly urge security teams to get to know accounts payable folks because, yeah, if they feel comfortable coming to you, there is a lot of good you can do with that. And I’ve had some false alarms I had one woman really concerned that the invoice looked different all of a sudden. She said, I’ve been paying this invoice for years, and now all of a sudden it looks different. Long story short, the company just changed the provider of their invoices, but also didn’t bother to tell anyone. 

Tracy: So she kept apologizing to me, and I kept telling her, like, no, you did the right thing. I’m thanking you for bringing it to our attention. And I also helped educate her along the way because she said, well, how if I just reply to this email and ask them if this is okay? And that’s when I had to educate her and say, well, let’s not do that because there’s a chance that you might be corresponding with the criminal. 

Tracy: Oh, I never even thought of that. So I said, yeah, let’s not do said but I said, do you know anyone at that? Like, if you heard their voice on the phone, you would know them? She said, yeah. She said, like Brenda or whatever. I’m like, do you have a phone number for Brenda? I said, again, let’s stay off of email. She said, yeah, I have a phone number. I said, do me a favor. Call Brenda. Ask her what’s going make sure it’s her. Ask what’s going on. 

Tracy: And that’s how she got to the bottom of you know, she had said to me, she’s like, oh, I would have just been emailing back and blah, blah, blah. And I said, I don’t know for again, this is before I knew that everything was okay, but I said, yeah. I said, we just have to assume that the network is compromised. Let’s just work off of that assumption. And then I gave her some knowledge going forward. She said, oh, okay. 

Tracy: If I ever see anything unusual from now on, I’ll know not to reply to the email. I’ll try to talk to someone, I’m like, yes, that’s the best way to do it. Yeah, I said she kept apologizing, and I’m like, this is my job. I’m like, no. And she did a good thing. So, yeah, you need to praise people. I used to give out things called cyber cupcakes because the company I worked for, it was so large and everybody was out everywhere, so I couldn’t physically give them a cupcake.

 Tracy: But I just found this JPEG image, and I would give it out to people if I thought that they submitted a sophisticated fish that they marked it as fishing. And I know that it sounds silly and I know that it sounds stupid, but I kid you not the positive feedback I got from people because I sent them a picture of a cupcake. 

Chris: That’s awesome. 

Tracy: Yeah, I had people write back to me, oh, this made my day. I wasn’t really sure about that one and about that email, and I would tell them why. I’d say, oh, I see that you submitted this email as Phishing, and I want to tell you that this is actually a very sophisticated Phishing email. Great job, Eagle Eye. You did good. Like, here’s a Cyber cupcake. I got so much positive feedback about that that the company was actually considering making it a more official thing that once a month there would be safe User of the Month sort of thing. Unfortunately, it never got off the ground and the layoffs happened and things like that. But, yeah, it was so well received that they wanted to make a program out of it, and it was just a silly cupcake. But, I mean, I was genuine when I sent it, and I just didn’t send it out willy nilly. 

Tracy: You had to earn that JPEG. 

Chris: I hear you. Well, Tracy, before you go, would you mind telling us where we can find you and connect with you online? 

Tracy: Well, Twitter is the easiest, I guess, but I’m pretty much infosec sherpa on most social media outlets. I do have a link tree, which I’ll send you, which kind of pulls together my talks and my social media and things like that. 

Chris: Okay, so you’re based in the Philly area, as am I. Where would you say is the best bar here in the area?

Tracy: Best bar is in my house. I have an impressive bar. So we moved into this house, like, less than about two years ago. It came with a cocktail room. It has its own refrigerator and bar set up, like a bar that you can walk up to. I’ll have to send you photos, and then I have just stacks of shelves of liquor when I have a wine fridge and everything. So, honestly, my house is the best part. 

Chris: Okay, so how about your favorite drink? 

Tracy: Gin and tonic. But it has to be very specific. It has to be good gin. So I like Bluecoat gin from Philly. 

Chris: Yes. 

Tracy: Yeah, love that stuff. So here’s my tip. If you get Bluecoat gins, barrel infused, I think they take, like, whiskey or bourbon barrels, and they put the gin in there. So it’s kind of like an amber color. If you take that with Fever tree’s aromatic tonic, it’s the pink tonic, and you do that with an orange twist, it feels like a hug inside your body. It’s so good. 

Chris: Sounds amazing. 

Tracy: And also, there’s this Australian oh, Rohan probably would know it. There’s this Australian gin that I like called Four Pillars, and they make this one called a bloody Charaz gin. They put the gin in shiraz wine barrels, and so it gets the red from the wine. Yeah, and that’s amazing as well. 

Chris: All right. 

Tracy: Yeah, I love a good gin and tonic, but it has to be good gin. Like, none of that. I can’t even think of a cheap gin. I don’t like sapphire. 

Chris: No, Bluecoat is the truth. Yeah, I know that gin very well. Now, tell me about ginfosec oh, ginfosec. 

Tracy: Okay. Honestly, that’s just a term that I came up with when I was a librarian, because a lot of the librarians I knew all drank gin and tonics, and we would sit around and talk about library stuff while drinking gin and tonics. So I would say gin formation professional when we were librarians. So I brought ginfoses. So I called it ginfosec coming over here and yeah, just the act of sitting around with gin and tonic talking about infosec stuff. 

Tracy: And it’s not literally gin, because then I always get people like, I don’t like gin or I don’t like it’s just it’s a vibe. 

Chris: It’s a name. 

Tracy: Yeah, it’s a mood. But, yeah, if you like gin, then yes, embrace. 

Chris: Um love it. Okay, well, Tracy, I just heard last call here. If you opened a cybersecurity themed bar, what would the name be and what would your signature drink be called? 

Tracy: Oh, boy. I feel like I’d have to call it Jimfosec. I feel like that has to be the name. And the signature cocktail would be yeah, probably like a blue coat. Just probably the drink that I already recommended. If I had more time to think of this, I’d be more creative. 

Chris: But no, I think that’s perfect. 

Tracy: I would love to have a gin bar and call it Ginfosec and have lock picking and drinks and stuff. I think that’s what the world needs. 

Chris: It is 100%. Listen, Tracy, thank you so much for venturing into Barcode. I had a great conversation with you, and I hope to see you again soon. 

Rohan: So nice talking with you. This has been great. 

Tracy: Absolutely. 

Chris: Take care.